Kong: [feature] JWT - Send payload as headers to upstream server

Created on 15 Jan 2017  路  8Comments  路  Source: Kong/kong

Summary

I use JWT plugin.
I craft all my JWT tokens using 1 single Consumer named 'auth-server'
The end-user email is encoded in the JWT payload.

{
  "sub": "1234567890",
  "email": "[email protected]",
  "iss": "ec9493fb1af244d5a80c9ce8fefa2c1f"
}

I want my upstream server to receive the end-user email as Header.

example:

X-JWT-Payload-Email: [email protected]
or
X-Email: [email protected]
or
...

Use case

  • Easier to test the upstream server application
  • No need to handle/install anything JWT-related (decode/verification) in the upstream server
tasfeature
Source
picture ghost
👍7

Most helpful comment

This feature would be very nice indeed. However, passing the payload, as mentioned, in a "X-JWT-Payload" header would be enough. This gives the opportunity to parse the JSON on API / Microservice level, in contrast to hardcoding headers based on what the payload contains.

picture jovanmaric on 8 Feb 2017
👍6

All 8 comments

imo this should be done in a dual-plugin approach:

  1. plugin to extract and store data in a request specific table
  2. plugin to modify/insert request elements based on the request specific table

see also; https://github.com/Mashape/kong/issues/550#issuecomment-267298980. Much of the application logic can be shared this way.

Tieske picture Tieske on 15 Jan 2017

@pouledodue I have done a proof of concept here:
https://github.com/wshirey/kong-plugin-jwt-claims-headers

You also need to account for requests that already have those headers set. You may could remove them with a request transformer before the jwt-claims-header executes.

This comes with no support :)

wshirey picture wshirey on 17 Jan 2017
👍31

@wshirey I will try it tomorrow

ghost picture ghost on 19 Jan 2017

This feature would be very nice indeed. However, passing the payload, as mentioned, in a "X-JWT-Payload" header would be enough. This gives the opportunity to parse the JSON on API / Microservice level, in contrast to hardcoding headers based on what the payload contains.

jovanmaric picture jovanmaric on 8 Feb 2017
👍6

agree with @jovanmaric, a base64 encoded payload in a custom http header might be enough? no need to populate one http header for every key in the payload

gottfrois picture gottfrois on 16 May 2017

yes would be enough

ghost picture ghost on 16 May 2017

Any update on that? Do you plan to integrate this feature in kong?
The work of @wshirey seem great but you can't directly use it with kong's docker image.

lodow picture lodow on 17 Jul 2017

If anyone gets here, I've written a plugin that does exactly this https://github.com/vnwonah/kong-token-to-header-extractor

vnwonah picture vnwonah on 6 Apr 2020
👍4
Was this page helpful?
0 / 5 - 0 ratings

Related issues

timusketeers picture timusketeers  路  36Comments
DavidTPate picture DavidTPate  路  35Comments
grillorafael picture grillorafael  路  42Comments
throrin19 picture throrin19  路  39Comments
jason-riddle picture jason-riddle  路  40Comments